WannaCry shows that businesses and governments must cooperate
World Economic Fourm (Global)
Syed Munir Khasru
June 1, 2017
On May 12, the world suffered one of the worst cyber-attacks in history as the ransomware “WannaCry” held data from 230,000 computers hostage in at least 150 countries, earning over $80,000.
A ransomware, once activated, encrypts access to the data of a computer or a network until a sum is paid. Infected organizations during the attack included both public and private entities across the globe, from the UK's National Health Service (NHS) to FedEx, Chinese universities and even the interior ministry of Russia.
Cybercrime has globally evolved into a growth industry where risks are low and returns are high. McAfee, one of the leading computer security companies, estimates that cybercrimes annually cost the global economy more than $400 billion. The figure is expected to increase manifold as projections lead to a staggering sum of $2.1 trillion by 2019. On the other hand, the importance of internet connectivity cannot be understated in terms of global economic and social development. Connectivity is changing the way we work, socialize, create and share information, and organize the flow of people, ideas and things around the world.
According to UNCTAD, $22 trillion exchanged hands in 2016 through e-commerce, which accounts for 3.1 percent of global GDP. The global communications network connects people and supply chains almost anywhere in the world. However, criminals can access these company systems from nearly any jurisdiction, resulting in the widespread exploitation of networks in an organized manner. Computer systems today are extremely complex, with millions of lines of code. It is natural for even the best organizations to have loopholes. This is why developers rigorously monitor and frequently update their software.
The WannaCry breach was facilitated by leaks from NSA documents which outlined flaws in outdated versions of Microsoft Windows, that were subsequently exploited by the hackers to spread the virus. The National Security Agency (NSA) has long been following such a strategy of finding loopholes in key software systems and hoarding information to utilize the flaws in times of need for political and military gains.
The strategy has indeed been successful in some cases in the past; when the US used the Stuxnet virus to slow down Iran’s proliferation of nuclear technology or brought down North Korean missiles through the “left-of-launch” strategies. However, the recent attack has exposed a glaring flaw in this strategy, as a deliberate lack of coordination from the government’s part with the private sector (Microsoft) resulted in major financial loss; but more importantly a loss of access to crucial data that could mean life or death for some, as in the case of the NHS.
As hospitals diverted ambulance services and switched off non-emergency services, it was striking that any individual with a laptop and access to the internet was capable of affecting so many lives worldwide. The anonymity and maneuverability of the internet provides cybercriminals access to remote resources at lower costs and lesser risks, making committing cybercrimes a lucrative prospect. Recovering stolen data or money can become impossible, even when the perpetrators are apprehended. Such was the case during the Bangladesh central bank heist in 2016, when hackers siphoned off $81 million from Bangladesh central bank's Federal Reserve account in New York, which were immediately laundered through multiple casinos in Philippines. So far, only $15 million have been recovered while getting the rest back seems increasingly unlikely.
In the age of connectivity, cyber weapons have grown to be the most threatening means to wage attacks, as their span broadly ranges from political targets to financial embezzlement.
However, the greatest threat from cyber weapons is their potential to take control of military equipment, as the usage of smart weapons continues to grow. While no significant attacks have taken place in this arena, the signs are growing that this is a real risk. In 2015, the German Patriot air and missile defense systems, stationed at the Turkish border with Syria, was compromised as the system carried out “unexplained” commands for a short period of time. Although the breach was identified and neutralized swiftly, one can easily imagine the catastrophic leverage that the hackers could have gained if they had full access to a system that included six launchers and two radars.
In light of such massive breaches, the world’s preparedness in tackling these risks is now under serious scrutiny.
There is an urgent need to develop an international platform for strengthening online infrastructure and protecting information assets. The Wannacry attack has reinforced the importance of keeping computer systems critical for operations separate from internet access. While that might not be possible for many systems since leveraging connectivity provides organizations with competitive advantage, addressing complacency of users can limit the progression of a virus to a large extent. In most cases viruses are spread when someone clicks a rogue email link or uses outdated systems, as was the case during the Wannacry attack. Strict monitoring and awareness measures, supported by appropriate legal systems can help address this issue. However, when it comes to monitoring and privacy, careful trade-offs need to be weighed in between the values inherent in an increasingly connected world and the risk of operational disruption, intellectual property loss, public embarrassment, and fraud.
What is more important is the need for transparency when it comes to forging partnerships between the government and private sector. The WannaCry attack could have been avoided, or at least mitigated to a large extent, had NSA alerted Microsoft about the security loophole before it was too late for affected computers to update the software.
Security needs to be integrated into the technology environment, helping individuals understand the risks of the public and private information they deal with every day. Training, raising awareness, and working with stakeholders are the way forward as lines are getting blurred between individuals and institutions, nations and borders, connectivity and casualty.